
Smishing (SMS Phishing)

High Threat Level

Phishing attacks delivered via SMS/text messages targeting mobile device users with fake alerts and malicious links

  • 76% of organizations experienced smishing attacks in 2023
  • 60% click rate for smishing vs 3% for email phishing
  • $87B estimated global losses to mobile phishing (2023)

What is Smishing?

Smishing (SMS phishing) uses text messages instead of emails to trick victims into clicking malicious links, revealing personal information, or calling fraudulent phone numbers. Mobile users are more vulnerable because smartphones display less information about links and senders.

Smishing is particularly dangerous because text messages feel more personal and urgent than emails, people check their phones constantly, and mobile browsers make it harder to verify URLs before clicking. Many smishing attacks lead to credential harvesting sites or malware downloads.

Why Smishing is So Effective:

  • Text messages have a 98% open rate vs 20% for emails
  • Users are more likely to trust texts from "known" senders
  • Mobile screens hide full URLs, making verification difficult
  • Sense of urgency: "Your account will be locked in 24 hours"
  • Less sophisticated spam filtering than email systems
  • Many users are unaware that SMS can carry phishing attacks

Common Smishing Scenarios

1. Fake Package Delivery

"USPS: Your package is on hold. Confirm delivery address: [LINK]. Failure to respond will return package to sender."

2. Bank Security Alert

"[Bank Name]: Unusual activity detected on your account ending in 4532. Verify immediately: [LINK] or call 1-800-XXX-XXXX."

3. Account Suspension

"Netflix: Payment failed. Update billing info within 24 hours to avoid suspension: [LINK]"

4. Prize/Gift Card Scam

"Congratulations! You've been selected for a $500 Amazon gift card. Claim within 48 hours: [LINK]"

5. COVID/Health Alert

"Department of Health: You were exposed to COVID-19. Schedule free test: [LINK]. Bring photo ID."

Real-World Example

FedEx/USPS Package Smishing Campaign (2023)

Millions of texts were sent impersonating FedEx and USPS and claiming missed deliveries. The links led to fake package-tracking sites that harvested credit card information for "redelivery fees."

Text Message:

"FedEx: We missed you! Your package requires $3.98 redelivery fee. Track and pay: hxxps://fedex-usredelivery[.]com/track?id=US82749372"

Red Flags:

  • FedEx never texts about redelivery fees
  • Suspicious URL (fedex-usredelivery vs fedex.com)
  • Urgency: "Pay now or package returned"
  • Tracking number does not match FedEx's format
  • Requests a credit card number for a small "fee"

Detection Red Flags

  • Unexpected texts from unknown numbers claiming to be from companies you use
  • Urgency tactics: "Act within 24 hours," "Account will be locked," "Package returned"
  • Shortened URLs: bit.ly, tinyurl.com and similar services hide the real destination
  • Generic greetings: "Dear customer" instead of your name
  • Requests for personal information: SSN, credit card, passwords via text
  • Too good to be true: Free prizes, gift cards, unexpected refunds
  • Spelling/grammar errors: Even in short texts
  • Mismatched sender: Claims to be "Bank of America" but is sent from a random 10-digit number
  • Suspicious links: Misspelled domains, extra hyphens, .tk/.ml domains
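As an added illustration (not part of the original page), a small Python scorer that applies the red flags above to sample messages and lists what triggered. The shortener list, TLD list, urgency phrases, brand-to-domain map and sample messages are all assumptions constructed from this list; extend them for real use.

```python
import re
from urllib.parse import urlparse

# Heuristics taken from the red-flag list on this page (assumed, illustrative values).
URL_SHORTENERS = {"bit.ly", "tinyurl.com"}
SUSPICIOUS_TLDS = {"tk", "ml"}
URGENCY_PHRASES = ("within 24 hours", "within 48 hours", "immediately",
                   "will be locked", "returned to sender", "on hold")
# Brand name -> domain that brand legitimately uses (assumed map, extend as needed).
BRAND_DOMAINS = {"fedex": "fedex.com", "usps": "usps.com",
                 "amazon": "amazon.com", "netflix": "netflix.com"}
URL_RE = re.compile(r"(?:hxxps?|https?)://[^\s<>\"']+", re.IGNORECASE)
# A request verb followed within 40 characters by a sensitive item: flags "confirm your
# card number" but not a legitimate one-time code message that merely mentions a code.
SENSITIVE_RE = re.compile(
    r"\b(enter|provide|confirm|verify|update)\b.{0,40}?"
    r"\b(ssn|social security|credit card|card number|cvv|password|pin|verification code)\b",
    re.IGNORECASE)

def _refang(url: str) -> str:
    """Turn a defanged URL (hxxps, [.]) back into a parseable one."""
    return url.lower().replace("hxxp", "http").replace("[.]", ".").rstrip(".,;)")

def score_sms(text: str) -> dict:
    """Count red flags in one SMS body and list what triggered them."""
    findings = []
    for url in URL_RE.findall(text):
        host = urlparse(_refang(url)).hostname or ""
        if host in URL_SHORTENERS:
            findings.append(f"shortened URL hides destination: {host}")
        if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
            findings.append(f"suspicious TLD: {host}")
        for brand, legit in BRAND_DOMAINS.items():
            # Brand name in the host, but not the brand's real domain or a subdomain of it
            if brand in host and host != legit and not host.endswith("." + legit):
                findings.append(f"lookalike domain for {brand}: {host}")
    lower = text.lower()
    findings += [f"urgency: '{p}'" for p in URGENCY_PHRASES if p in lower]
    if SENSITIVE_RE.search(text):
        findings.append("asks for sensitive information")
    return {"score": len(findings), "findings": findings}

# Constructed sample messages modelled on the scenarios above; the last one is benign.
SAMPLES = [
    "FedEx: We missed you! Your package is on hold. Track and pay: hxxps://fedex-usredelivery[.]com/track?id=EXAMPLE123",
    "Congratulations! Claim your $500 Amazon gift card within 48 hours: hxxp://amazon-rewards[.]tk/claim",
    "Bank alert: Verify immediately and confirm your card number at https://bit.ly/EXAMPLE",
    "Your USPS package arrives today. Track it at https://www.usps.com/",
]
```

Scores here are a simple count of findings; in practice a score of 2 or more on the constructed samples is enough to hold a message for review, while the benign USPS text scores 0.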

Prevention Strategies

1. Never Click Links in Unexpected Texts

  • If a text claims to be from your bank, open the banking app or call the number on the back of your card
  • For package delivery, open the carrier's app or website directly
  • Don't call phone numbers provided in suspicious texts
  • Verify by contacting company through official channels

2. Verify Before Acting

  • Hover/long-press on links to preview destination URL (doesn't work with shortened URLs)
  • Look for misspellings in domain names (amaz0n.com vs amazon.com)
  • Check official company website for legitimate contact methods
  • Call the company using the number from its official website, not the one in the text message

3. Enable Mobile Security Features

  • Enable spam text filtering (iOS: Filter Unknown Senders, Android: Spam protection)
  • Install mobile security app with link scanning (Lookout, Norton Mobile, Malwarebytes)
  • Keep phone OS updated for latest security patches
  • Use biometric authentication (Face ID, fingerprint) for sensitive apps

4. Never Provide via Text:

  • Social Security number or driver's license
  • Credit card numbers or CVV codes
  • Online banking passwords or PINs
  • One-time verification codes (unless YOU initiated the request)

5. Report and Block

  • Forward smishing texts to 7726 (SPAM); this works for all major carriers
  • Report to FTC at ReportFraud.ftc.gov
  • Block the sender's number
  • Delete the message after reporting

SMS + Email Combination Attacks

Attackers often combine text messages with email for multi-channel attacks:

Pattern 1: SMS → Email Click

"Package delivery attempted. Check email for tracking link." Then the phishing email arrives.

Pattern 2: Email → SMS Verification

Phishing email says "We sent verification code to your phone" to appear legitimate.

Pattern 3: SMS Alert → Email Form

"Unusual account activity detected. Complete security form we emailed to verify identity."

Defense: Use HeaderScope

When you receive emails mentioned in text messages or texts about emails, use HeaderScope to verify email authenticity before clicking any links or providing information.

If You Clicked a Smishing Link

  1. Do not enter any information on the page if still open
  2. Close browser/app immediately and clear browsing history
  3. Run mobile antivirus scan to check for malware
  4. Change passwords for accounts related to the scam (bank, email, etc.)
  5. Enable MFA on all critical accounts if not already enabled
  6. Monitor accounts for unauthorized activity for 90+ days
  7. Contact your bank if financial information was potentially compromised
  8. Report to carrier by forwarding text to 7726 (SPAM)
  9. File FTC complaint at ReportFraud.ftc.gov

Verify Related Emails with HeaderScope

When text messages reference emails or vice versa, use HeaderScope to verify any related emails before taking action. Check sender authentication and origin to catch phishing attempts.
